From: | Javier Fernandez-Sanguino |
Subject: | Re: [Tiger-devel] Request reclassification of fsys004i? |
Date: | Mon, 05 Apr 2004 11:43:58 +0200 |
User-agent: | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113 |
Ryan Bradetich wrote:
> Hello all, I believe a reclassification of the following Tiger error should be reclassified:
> [setuid stuff snipped]
> Thoughts or any reason why this should be "INFO" instead of "ALERT"?
Although I basically agree with you here, one of the reasons I would be careful when changing that to ALERT instead of INFO is that the setuid mappings for most systems are not up-to-date and, thus, accurate. This means that they cannot be trusted until tested and many of the checks (including the setuid check) might start to spit up errors because of out-of-date information.
We could make it configurable whether to generate ALERT or INFO messages in this case (so that people who trust their system information can fine-tune this) but I would be hesitant to make a generic change since this would mean a lot of false positives for most systems.
Notice this also affects check_perms, check_signatures and some of the other checks executed by find_files (that make use of 'signatures', 'suid_list' and 'file_access_list').
Regards
Javier